Re: Multiple Authentication Methods... what order?

From: BB (Bernard_at_3exp.com)
Date: 02/05/03




Refer to this KB.
INFO: How IIS Authenticates Browser Clients
http://support.microsoft.com/?id=264921

HOW TO: View or Change Authentication Methods in IIS
http://support.microsoft.com/?id=301457

Rgds.

"kevin" <kevin5290@yahoo.com> wrote in message
news:9149c2c8.0302040619.3939b9a1@posting.google.com...
> Digest authentication was new in IIS 5.0 if I'm not mistaken. We use
> it for an internal corporate site with Active Directory. All users
> are not a member of the domain. Digest authentication works well with
> realms, so multiple login prompts are not an issue. Most users use
> IE5+. In certain situations, it would be nice to use integrated
> (NTLM) authentication, and if that's not possible, digest, then basic.
> I have seen posts that indicate this is a configurable setting, but
> have not found a MS reference to it.
>
> "Brjann Brekkan" <bbrekkan@nospamhotmail.com> wrote in message
> news:<eXodNI9yCHA.2816@TK2MSFTNGP09>...
> > Interesting --- I've never heard of a site using Digest Auth
> >
> > Have you chosen all authentication methods?
> > Are your users using any specific browser? from machines member of
> > domain?
> >
> > brjann
> > "kevin" <kevin5290@yahoo.com> wrote in message
> > news:9149c2c8.0302030719.130bbe87@posting.google.com...
> > > Is there a configuration setting that controls the order of
> > > authentication methods used during user authentication?
> > >
> > > I'm interested in selecting multiple authentication methods in IIS for
> > > a web site. I have read that if more than one authentication method
> > > is selected, such as NTLM, Basic, Digest, the most secure method is
> > > the one that is used when the user authenticates.
> > >
> > > My real world experience indicates that if Basic and Digest are
> > > turned on for a site, Basic is used for authentication, not Digest. I
> > > want Digest to be chosen before Basic.
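
An added example, not part of the original thread or of either KB article: the server lists every enabled method in its own `WWW-Authenticate` header on the 401 response, and RFC 2617 requires the client to pick the strongest scheme it understands, so the choice is made by the browser rather than by a server-side order setting. The script below parses a constructed 401 response and flags the case kevin describes, where Basic is used although Digest was offered. The strength ranking, the realm `corp.example` and the nonce are assumptions made for this example.

```python
# Added example: audit which auth scheme a client chose from a 401 response.
# Assumption: one challenge per WWW-Authenticate header line.

# Relative strength ranking assumed for this example (higher = stronger).
STRENGTH = {"negotiate": 4, "ntlm": 3, "digest": 2, "basic": 1}

# Constructed sample response, not captured from a real server.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    'WWW-Authenticate: Digest qop="auth", realm="corp.example", nonce="abc123"\r\n'
    'WWW-Authenticate: Basic realm="corp.example"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

def offered_schemes(raw_response):
    """Return the auth schemes in the order the server listed them."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            parts = value.strip().split(None, 1)
            if parts:
                schemes.append(parts[0])
    return schemes

def strongest_supported(schemes, client_supports):
    """Pick the strongest offered scheme the client understands (header order ignored)."""
    supported = {s.lower() for s in client_supports}
    usable = [s for s in schemes if s.lower() in supported and s.lower() in STRENGTH]
    if not usable:
        return None
    return max(usable, key=lambda s: STRENGTH[s.lower()])

def audit(raw_response, client_supports, used_scheme):
    """Compare the scheme seen in the client's Authorization header with the expected one."""
    offered = offered_schemes(raw_response)
    expected = strongest_supported(offered, client_supports)
    downgraded = (expected is not None and
                  STRENGTH.get(used_scheme.lower(), 0) < STRENGTH[expected.lower()])
    return {"offered": offered, "expected": expected,
            "used": used_scheme, "downgraded": downgraded}

if __name__ == "__main__":
    # Client understands both schemes but was observed sending Basic credentials.
    print(audit(SAMPLE_401, ["Basic", "Digest"], "Basic"))
```
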


